Aliases: WORM_MOBLER.A, Worm.Win32.Mobler.a, W32/Mobler-A
Variants: W32/Mobler.worm, Worm/Mobler.C

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 01 Sep 2006
Damage: Low

Characteristics: The W32.Mobler.A worm infects systems by copying itself to every writable medium on the target machine, including network shares, floppy drives and USB drives. The worm's copies take filenames that match the name of the compromised machine and the names of folders and files already present on the infected drive. This fools the user into mistaking a copy for the original item, so the worm can hide behind it.

More details about W32.Mobler.A

After execution, this security threat copies itself to the system as an EXE file and drops several other files, including an AUTORUN.INF file that causes the dropped copies to run whenever the infected drive is accessed. It then creates a folder, shares it, and drops further files that are considered non-malicious. Next, the worm builds an archive file with the .SIS extension containing a copy of its code and other non-malicious files, and hides the Windows folder. The malware also makes several changes to the Registry for various malicious purposes; it adds a value to two registry subkeys so that it is executed whenever the Windows operating system starts.
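The two propagation tricks described above (an AUTORUN.INF that launches a dropped copy, and executables named after the host or after sibling folders and files) are both visible from a plain directory listing. The following scanner is an added example written for this page, not code from the original entry or from any vendor tool; it builds a constructed sample drive in a temporary directory (the file names, the "LAB-PC" host name and the autorun contents are all made up for the demonstration) and reports which entries match those patterns.

```python
"""Scan a removable-drive root for two worm propagation artefacts:
an AUTORUN.INF that launches a program, and executables disguised with
the name of the host, a sibling folder, or a sibling file.

Added example; the sample drive below is constructed, not a real infection.
"""
import os
import shutil
import socket
import tempfile

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".pif"}


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section that launch a program.

    Only 'open', 'shellexecute' and 'shell\\...\\command' entries count;
    cosmetic keys such as 'icon' or 'label' are ignored.
    """
    section = None
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets.append((key, value))
    return targets


def scan_drive(root, hostname=None):
    """Inspect the top level of a drive root and return sorted findings.

    Each finding is (category, detail):
      autorun-launch  an autorun.inf entry that runs a program
      folder-mimic    an executable named like a sibling folder (Photos.exe)
      file-mimic      an executable named like a sibling file (report.exe)
      hostname-mimic  an executable named like the machine itself
    """
    hostname = (hostname or socket.gethostname()).lower()
    entries = os.listdir(root)
    lowered = {e.lower() for e in entries}
    folders = {e.lower() for e in entries if os.path.isdir(os.path.join(root, e))}
    findings = []
    for entry in entries:
        lower = entry.lower()
        if lower == "autorun.inf":
            with open(os.path.join(root, entry), errors="replace") as fh:
                for key, value in parse_autorun(fh.read()):
                    findings.append(("autorun-launch", f"{key}={value}"))
            continue
        stem, ext = os.path.splitext(lower)
        if ext not in EXECUTABLE_EXTS:
            continue
        if stem in folders:
            findings.append(("folder-mimic", entry))
        elif stem == hostname:
            findings.append(("hostname-mimic", entry))
        else:
            # Same base name as another file on the drive (report.exe beside report.doc).
            sibling_stems = {os.path.splitext(n)[0] for n in lowered if n != lower}
            if stem in sibling_stems:
                findings.append(("file-mimic", entry))
    return sorted(findings)


def build_sample_drive():
    """Create a constructed drive image showing the disguise pattern (sample data)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    os.mkdir(os.path.join(root, "Photos"))
    # notes.exe and readme.txt are benign controls that must not be flagged.
    for name in ("Photos.exe", "report.doc", "report.exe", "LAB-PC.exe",
                 "readme.txt", "notes.exe"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("placeholder\n")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=Photos.exe\nshell\\open\\command=Photos.exe\n"
                 "icon=Photos.exe\n")
    return root


if __name__ == "__main__":
    sample = build_sample_drive()
    try:
        for category, detail in scan_drive(sample, hostname="LAB-PC"):
            print(f"{category:15} {detail}")
    finally:
        shutil.rmtree(sample)
```

The scan deliberately looks only at names and the autorun file, so it works on a drive that is mounted read-only or imaged from a quarantined machine; pass the affected host's name as `hostname` when scanning media away from that host.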

The worm W32.Mobler.A likewise adds a value to certain registry subkeys to hook the shell so that the worm runs whenever files of specific types are executed. It also adds values to a specific registry subkey to disable the Folder Options item in the Tools drop-down menu of Windows Explorer and the Search window, and adds values to a registry subkey to disable Registry Tools and Windows Task Manager. The worm then adds values to numerous registry entries to block specific applications and files from being launched through the Start menu's Run feature. Finally, the worm launches a DoS (Denial of Service) attack against a particular website.